-- +goose Up
-- +goose StatementBegin

-- Squid forward-proxy ACL entries. Generator merges all active rows
-- into /etc/edgeguard/squid/squid.conf via internal/squid templates.
--
-- acl_type matches squid's vocabulary: src, dst, dstdomain, port,
-- proto, time, url_regex, urlpath_regex, ...
-- action is allow|deny.
CREATE TABLE IF NOT EXISTS forward_proxy_acls (
    id         BIGSERIAL PRIMARY KEY,
    name       TEXT NOT NULL,
    acl_type   TEXT NOT NULL,
    value      TEXT NOT NULL,
    action     TEXT NOT NULL,
    priority   INTEGER NOT NULL DEFAULT 100,
    active     BOOLEAN NOT NULL DEFAULT TRUE,
    comment    TEXT,
    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
    CONSTRAINT forward_proxy_acls_action_check CHECK (action IN ('allow', 'deny'))
);

CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_priority ON forward_proxy_acls (priority DESC);
CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_active   ON forward_proxy_acls (active) WHERE active;

-- +goose StatementEnd

-- +goose Down
-- +goose StatementBegin
DROP TABLE IF EXISTS forward_proxy_acls;
-- +goose StatementEnd